IT SECURITY OPERATIONS From Art to Science Ian Lawden

Posted on 19-Dec-2015



CONTENTS

- Context
- The Threat Landscape
- The Art of Decision Making
- Applying the Science
- Conclusion

CONTEXT


Threats increasing (and more complex):
- Cyber crime, politically motivated DoS

New ‘opportunities’ for breach:
- Off-shore services, cloud computing, Web 2.0

IT Security Operations Managers having to make decisions that minimise impact on the business:
- Minimise downtime, avoid restrictions, reduce costs

Pressure on funding:
- Need to justify investment

Repercussions are serious:
- Loss of system, loss of funds, loss of reputation
- Loss of face, if the professionals get it wrong?

POTENTIAL FOR CONTENTION?

ITIL Service Management Processes

Service Support: Incident Management, Problem Management, Change Management, Release Management, Configuration Management

Service Delivery: Service Level Management, Financial Management, Capacity Management, IT Continuity Management, Availability Management

- Incident Management: user up and running quickly versus preservation of forensic evidence
- Change Management: formal control versus emergency (and risky) response
- Capacity Management: support business objective versus ‘security seen as an overhead’
- Availability Management: customer satisfaction equates to ‘up time’ versus security requires maintenance windows

THE THREAT LANDSCAPE

[Diagram: users under attack from electronic attack and from the internal threat, with successive layers of defence around them.]

THREATS

[Diagram: defence in depth, the same layered defences shown against both the external electronic attack and the internal threat.]

PILLARS OF VULNERABILITY

[Diagram: the pillars are organisation, defence, supplier performance, operational decision-making capability, effective risk management and user awareness; each rests on training and certification, internal awareness training, supplier management, stakeholder engagement, and review, analysis and modelling.]

THE ‘ART’ OF DECISION MAKING


GUT REACTIONS ARE NOT ALWAYS RELIABLE


SYSTEM THINKING

System 2: slower, more conscious, effortful, and logical. Instinctively understood, controllable, follows rules. Requires evidence!

System 1: intuitive, quick, automatic, effortless, and influenced by emotion. Reliance on it increases when a situation is complex and a state of cognitive overload is reached. Decisive!

APPLYING THE SCIENCE


THE ANALYTICAL MODEL

Problem definition:
- Agree the problem to be modelled

Model construction:
- Data gathering, and interviews with key stakeholders
- Collect the information needed to build a model of the enterprise security environment

Model exploration:
- “Execute” the model
- Take measurements such as the time taken to patch or to have other mitigations in place
- Run thousands of simulations with different parameters
- Possible outcomes predicted through rigorous “what-if” analysis

Decision-making:
- Understanding of the conclusions and consequences = improved decision making

Preparing and Responding


Operational Decision Making: Defence in Depth

Layers of defence and what the data says about each:
- Desktop estate: antivirus plus buffer overflow protection. Protects the full client population.
- Network gateway: temporary workarounds, e.g. shutting down part of the network. Effective for 32% of vulnerability cases.
- Restriction of administrative privileges. 80% of OS or privilege escalation exploits require admin rights.
- Emails to employees (awareness). Up to 20 days to be received and read.
- Timeline: when each layer takes effect relative to the vulnerability timeline below.

VULNERABILITY TIMELINE

[Timeline of events, in order: discovery (zero-day exploit possible; not measurable, only some groups aware, no public data yet), disclosure (some public data), public exploit code and malware (much public data), signature available, patch available, patch deployed. Two spans are marked on the timeline: the window of exposure, and the patching process running from patch available to patch deployed.]

RISK EXPOSURE – TRADITIONAL

[Chart: histogram of vulnerabilities per year (0 to 350) against risk window in days, in buckets 0, 20, 40, … 180 and More; series: admin privs, network gateway, AV; labelled “Exposure”.]

RISK EXPOSURE – GATEWAY PROTECTION

[Chart: same axes; series: admin privs, network gateway, AV, email staff; labelled “Exposure (Internal)”.]

RISK EXPOSURE – ADMIN PRIVILEGES MINIMISED

[Chart: same axes; series: admin privs, network gateway, AV, email staff, patching.]
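The analytical model described above (build a model, run thousands of simulations with different parameters, measure the risk window) can be shown end to end with a small Monte Carlo. The following is an added example, not code from the deck or from the referenced HP Labs work. The 32% workaround effectiveness, the 80% admin-rights figure and the 20-day e-mail lag are taken from the slides; every timing distribution, the 25% share of vulnerabilities an awareness e-mail can prevent, and the scenario names are constructed assumptions. It produces the same 20-day histogram buckets as the risk exposure charts, so the effect of each added layer can be read off directly.

```python
"""Monte Carlo model of vulnerability exposure windows under layered defences.

Added example (not from the original deck). Percentages and the 20-day e-mail
lag come from the slides; all timing distributions are constructed assumptions.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Figures stated on the slides
GATEWAY_WORKAROUND_RATE = 0.32     # workarounds effective for 32% of vulnerability cases
ADMIN_RIGHTS_REQUIRED_RATE = 0.80  # 80% of OS/privilege-escalation exploits need admin rights
EMAIL_MAX_READ_DAYS = 20           # awareness e-mail takes up to 20 days to be read

# Constructed assumptions (not from the deck)
EMAIL_APPLICABLE_RATE = 0.25             # share of vulns needing user action an e-mail prevents
BUCKET_EDGES = list(range(0, 181, 20))   # chart x-axis: 0, 20, ..., 180, then "More"


@dataclass
class VulnSample:
    """One simulated vulnerability; all times are days after public disclosure (day 0)."""
    malware_day: float                 # malware exploiting it appears in the wild
    signature_day: float               # AV signature available (after malware is seen)
    patch_deployed_day: float          # patch available plus the patching process
    workaround_day: Optional[float]    # gateway workaround in place, None if not applicable
    needs_admin: bool                  # exploit requires admin rights on the workstation
    email_read_day: Optional[float]    # awareness e-mail read, None if not applicable


def sample_vulnerabilities(n: int, seed: int = 1) -> List[VulnSample]:
    """Draw n vulnerabilities once; every scenario is then evaluated on the same draws."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        malware = rng.expovariate(1 / 30)                     # assumed: mean 30 days
        signature = malware + rng.uniform(0.5, 3)             # assumed: 0.5-3 days after malware
        patch_available = rng.expovariate(1 / 20)             # assumed: mean 20 days
        patch_deployed = patch_available + rng.uniform(14, 90)  # assumed: patching process
        workaround = rng.uniform(1, 5) if rng.random() < GATEWAY_WORKAROUND_RATE else None
        needs_admin = rng.random() < ADMIN_RIGHTS_REQUIRED_RATE
        email = rng.uniform(0, EMAIL_MAX_READ_DAYS) if rng.random() < EMAIL_APPLICABLE_RATE else None
        samples.append(VulnSample(malware, signature, patch_deployed, workaround, needs_admin, email))
    return samples


def exposure_window(v: VulnSample, layers: Set[str]) -> float:
    """Days exposed: from malware appearance until the first deployed layer that
    applies to this vulnerability takes effect. Patching is always present."""
    close = [v.patch_deployed_day]
    if "av" in layers:
        close.append(v.signature_day)
    if "gateway" in layers and v.workaround_day is not None:
        close.append(v.workaround_day)
    if "admin_privs" in layers and v.needs_admin:
        close.append(0.0)  # restriction already in place at disclosure, exploit never works
    if "email" in layers and v.email_read_day is not None:
        close.append(v.email_read_day)
    return max(0.0, min(close) - v.malware_day)


def bucket_label(window: float) -> str:
    """Histogram bucket as on the charts: label is the bucket's upper edge, then 'More'."""
    for edge in BUCKET_EDGES:
        if window <= edge:
            return str(edge)
    return "More"


def histogram(windows: List[float]) -> Dict[str, int]:
    counts = {str(e): 0 for e in BUCKET_EDGES}
    counts["More"] = 0
    for w in windows:
        counts[bucket_label(w)] += 1
    return counts


# Cumulative scenarios (names are this example's, not the deck's chart titles)
SCENARIOS = {
    "patching only": set(),
    "plus AV": {"av"},
    "plus gateway workarounds": {"av", "gateway"},
    "plus awareness e-mail": {"av", "gateway", "email"},
    "plus admin privileges minimised": {"av", "gateway", "email", "admin_privs"},
}


def run(samples: List[VulnSample], scenarios=SCENARIOS) -> Dict[str, Dict[str, int]]:
    return {name: histogram([exposure_window(v, layers) for v in samples])
            for name, layers in scenarios.items()}


def mean_window(samples: List[VulnSample], layers: Set[str]) -> float:
    return sum(exposure_window(v, layers) for v in samples) / len(samples)


if __name__ == "__main__":
    vulns = sample_vulnerabilities(5000)
    for name, counts in run(vulns).items():
        row = " ".join(f"{k}:{c}" for k, c in counts.items())
        print(f"{name:32s} mean {mean_window(vulns, SCENARIOS[name]):6.1f} days | {row}")
```

Because the random draws are made once and each scenario is scored on the same samples, adding a layer can never lengthen a window, which is the property the “what-if” comparison relies on. Replacing the assumed distributions with measured values (time to patch, time for a workaround to be in place) is the data-gathering step of the model.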

DEFENCE IN DEPTH CONCLUSIONS

- A multi-layer approach can be effective to reduce risk exposure
- A defence-in-depth position is less strong if a vulnerability is not dealt with by network gateway security: it is likely a large proportion of the infrastructure will be vulnerable if malware appears
- The threat environment should be regularly monitored, for changes in malware and infection rates and for new spread vectors, for example
- Timely patching remains important, to ensure the population of workstations no longer contains the vulnerability

CANDIDATES FOR EVALUATION

- Server patching: exploring the trade-off between the disruption created when applying fixes to servers, versus bundling patches to reduce disruption but in turn increasing risk
- Identity and access management: provisioning and de-provisioning
- Web access: website blocking effectiveness; infection risk likelihood (based on employees’ browsing habits)
- Fine-grained analytics: infection risk based on employees’ age and preferences; website infection likelihood according to popularity/age; amount of time employees spend on the web

CONCLUSION

KEY MESSAGES

A more scientific and analytical approach to risk mitigation and defence posture is possible and:
- Allows greater understanding of the effectiveness of an organisation’s defences
- Supports IT Security Operations Managers in focusing on key areas for attention

The time is right to:
- Evidence day-to-day decisions with historical data
- Influence future strategies and policies using more structured techniques
- Carefully consider and challenge the rationale for simply deploying solutions that ‘make us feel better’

Further Reading & Research

Anna Squicciarini, Sathya Dev Rajasekaran, Marco Casassa Mont, “Using Modeling and Simulation to Evaluate Enterprises' Risk Exposures to Social Networks”, IEEE Computer Magazine, Volume 44, Number 1, pp. 66-73, January 2011

Marco Casassa Mont, Yolanta Beres, David Pym, Simon Shiu, “Economics of Identity and Access Management: Providing Decision Support for Investments”, 5th IFIP/IEEE Workshop on Business-driven IT Management (BDIM 2010), 19 April 2010, Osaka, Japan

Yolanta Beres, Marco Casassa Mont, Jonathan Griffin, Simon Shiu, “Using Security Metrics Coupled with Predictive Modelling and Simulation to Assess Security Processes”, IEEE International Workshop on Security Measurements and Metrics (MetriSec 2009), 14 October 2009, Lake Buena Vista, Florida, US

Adrian Baldwin, Marco Casassa Mont, Simon Shiu, “Using Modelling and Simulation for Policy Decision Support in Identity Management”, IEEE 10th Symposium on Policies for Distributed Systems and Networks (Policy 2009), 20-22 July 2009, London

Yolanta Beres, Jonathan Griffin, Max Heitman, David Markle, Peter Ventura, “Analysing the Performance of Security Solutions to Reduce Vulnerability Exposure Windows”, Proc. of 2008 ACSAC, December 2008

Yolanta Beres, David Pym, Simon Shiu, “Decision Support for Systems Security Investment”, 5th IFIP/IEEE Workshop on Business-driven IT Management (BDIM 2010), 19 April 2010, Osaka, Japan